Office of Inspector General
Audit Report

FISMA 2012: ONGOING WEAKNESSES IMPEDE DOT’S PROGRESS TOWARD EFFECTIVE INFORMATION SECURITY
Department of Transportation

Report Number: FI-2013-014
Date Issued: November 14, 2012


U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject:   ACTION: FISMA 2012: Ongoing Weaknesses Impede DOT’s Progress toward Effective Information Security
           Report Number: FI-2013-014
Date:      November 14, 2012
From:      Calvin L. Scovel III, Inspector General
Reply to Attn. of: JA-20
To:        Acting Chief Information Officer

The Department of Transportation’s (DOT) operations rely on more than 400 information technology (IT) systems—nearly two-thirds of which belong to the Federal Aviation Administration (FAA). These systems represent an annual investment of approximately $3 billion—one of the largest IT investments among Federal civilian agencies. Moreover, the Department’s financial systems manage and disburse approximately $90 billion in Federal funds annually.
Recently, the Government confirmed that foreign cyber hackers have successfully gained access to some critical Federal infrastructure systems.

To protect the IT systems that support Federal operations, the Federal Information Security Management Act (FISMA) of 2002 requires agencies to develop, document, and implement departmentwide information security programs. FISMA also requires agency program officials, chief information officers (CIO), and Inspectors General to conduct annual reviews of their agency’s information security programs, and report the results to the Office of Management and Budget (OMB). As part of this review, OMB requires Inspectors General to use 96 security metrics in 11 security areas to assess their agency’s performance.

Consistent with FISMA and OMB requirements, our overall audit objective was to determine the effectiveness of DOT’s information security program and practices. Specifically, we assessed DOT’s (1) information security policy and procedures; (2) enterprise-level information security controls;[1] (3) system-level security controls; and (4) management of information security weaknesses. Also, as required by OMB, we provided our results via its Web portal.[2]

[1] For purposes of this report, enterprise-level controls include security training, incident response and reporting, capital planning and investment control, and configuration management, and are generally not system-specific.

To conduct our audit and address OMB’s 96 metrics, we tested a statistical sample of 58 of 420 systems, performed analytical reviews of data contained in the Department’s Cyber Security Assessment and Management system (CSAM),[3] tested software settings in 56 general support systems, reviewed supporting documentation, and interviewed departmental officials. We conducted this audit between February and October 2012 in accordance with generally accepted Government auditing standards. Exhibit A details our scope and methodology.

RESULTS IN BRIEF

Since our 2011 review, DOT has made improvements to its security controls. Notably, it took steps to enhance the Department’s cyber security policy and guidance, established a repository for software security baselines, and acquired sophisticated software to improve its monitoring of security. However, the Department has not implemented many of the recommendations we made over the past several years that would permit it to meet Federal IT security requirements; specifically, 21 of 35 open recommendations made since 2009 remain open (see Exhibit B). As a result, the Department’s information systems remain vulnerable to serious security threats and risks due to the following continued deficiencies in DOT’s information security policies, procedures, controls, and remediation measures:

1. The Office of the Chief Information Officer (OCIO) has completed its high-level security policy and direction to operating administrations (OA) to develop their internal procedural guidance to manage information security effectively. However, the OAs’ CIOs are still in the process of completing information security procedures for several key areas, including capital planning for IT security. These gaps in DOT procedures have contributed to the other weaknesses we identified.

2. 
DOT’s enterprise-level controls—those that must be implemented Departmentwide—are still inadequate to ensure (1) that all contractors receive required security training, (2) sufficient coverage of DOT networks for detecting and reporting security incidents to the Department of Homeland Security (DHS), (3) reported incidents are remediated promptly, and (4) configuration baselines and configuration changes are appropriately managed. The Department took a key step in creating a repository of approved secure software settings. Still, based on our testing of the 340 randomly selected computers, we estimate that 63 percent[4] satisfy the requirements for control setting compliance, a decline of approximately 7 percentage points from 2011. In addition, enterprise-level cyber security risks have not been addressed, and security costs were not considered when planning IT investments. For example, DOT requested $113 million for IT security as part of its budget process; however, these requests were not supported by a capital planning process or linked to an enterprise architecture (EA).[5]

[2] OMB has designated this information as “For Official Use Only.” Consequently, our submission to OMB is not contained in this report.
[3] CSAM tracks the system inventory, weaknesses, and other FISMA security information.

3. The Department’s system-level controls are also insufficient to protect its systems’ security and ensure that systems can be recovered in the event of a serious breach. Deficiencies remain in certification and accreditation (C&A), contingency plan testing, and monitoring of security controls for changes. 
For example, we project that 118 of 420 systems[6] had incomplete C&A documentation. We also project that OAs did not complete contingency testing for 202 systems.[7] Furthermore, the Department does not coordinate shared system security controls, and lacks adequate controls over continuous monitoring, oversight of contractor-operated systems, remote access, and account management. For example, the Department continues to be deficient in implementing the use of two-factor authentication to secure remote access to its systems. To better monitor weaknesses and enhance system security, the Department has acquired a highly complex software tool which, if implemented properly, will enable management to more quickly identify and remediate security threats.

4. The Department still lacks an effective process for timely remediation of security weaknesses. Of the 5,265 open plans of action and milestones (POA&M), 2,161 had passed their due dates for resolution; 432 are a year overdue.

We are making a series of recommendations to help the Department establish and maintain an effective information security program—one that complies with FISMA, OMB, and other requirements.

[4] Our estimate has a margin of error of +/-26 percentage points at the 90 percent level of confidence.
[5] An EA defines the agency’s mission, the information and technologies necessary to perform the mission, and the transitional processes for implementing new technologies in response to changing mission needs. 
EA includes a baseline (as-is) and target (to-be) architecture, and a sequencing plan.
[6] Our estimate has a margin of error of +/-38 systems or 9.0 percentage points at the 90 percent level of confidence.
[7] Our estimate has a margin of error of +/-51 or 12.2 percent at the 90 percent level of confidence.

BACKGROUND

FISMA requires each Federal agency’s information security program to secure the information and information systems that support the agency’s operations, including those provided or managed by another agency, a contractor, or other entity. FISMA also requires each agency to report annually to OMB, Congress, and the Government Accountability Office (GAO) on the effectiveness of its information security policies, procedures, and practices. In its Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” OMB requires Federal agencies to plan for security, ensure that appropriate officials are assigned security responsibilities, periodically review the security controls in their information systems, and authorize system processing prior to operations and periodically thereafter.

DOT’s 13 OAs collectively manage 428 information systems, about two-thirds of which are managed by FAA (see Exhibit C). DOT relies on these systems to carry out its complex mission, including ensuring safe air traffic control operations, preventing unqualified drivers from obtaining commercial driver’s licenses, and identifying safety defects in vehicles, as well as protecting billions of dollars in funds for highway reconstruction, high-speed rail development, and law enforcement grants.

Since 2002, we have reported on weaknesses in DOT’s information security program and practices. 
In our three most recent reports, we reported the following:

• November 2009: We reported that DOT had issued its information security policy—the first step in the development of a sustainable information security program—and improved its Common Operating Environment’s[8] (COE) compliance with the Federal Desktop Core Configuration (FDCC).[9] However, the Department had not made sufficient progress in other areas. Its security program did not meet all Federal requirements and was not as effective as it should have been.[10]

• November 2010: We reported that the Department had successfully provided security awareness training to over 90 percent of its employees, but had not made sufficient progress in other critical areas.[11] In its assurance letter to the President, the Department reported that its non-compliance with FISMA during 2010 constituted a material weakness in internal controls.

[8] COE is a network that provides DOT headquarters and most OAs with common IT services, such as e-mail.
[9] FDCCs are security configuration settings developed by the National Institute of Standards and Technology (NIST), the Department of Defense, and DHS for certain Windows operating systems. OMB has mandated agencies to adopt these settings. Subsequently, the FDCCs were expanded and called the United States Government Configuration Baseline (USGCB).
[10] OIG, Audit of DOT’s Information Security Program and Practices, FI-2010-023, November 18, 2009.
[11] OIG, Timely Actions Needed to Improve DOT’s Cybersecurity, FI-2011-022, November 15, 2010.

• November 2011: We reported that the Department had made some improvements in its cyber security. 
It had developed comprehensive cyber security policy for the entire Department, except for the Office of the Secretary (OST), and reported all major security incidents to DHS. However, it had not corrected weaknesses in its information security procedures, enterprise-level and system-level controls, and management of corrective actions.[12] Overall, the Department’s information security system was still not effective.

The most significant change to this year’s metrics is that DHS categorized each metric as a President’s Administration priority, a key FISMA metric, or a baseline question[13] to assist agencies in prioritizing actions to address information security weaknesses.

DESPITE IMPROVEMENTS, DOT’S INFORMATION SECURITY POLICIES AND PROCEDURES REMAIN INCOMPLETE

FISMA requires each department’s CIO to develop and maintain information security policies, procedures, and control techniques to address security requirements. In prior reports, we recommended revisions to DOT’s policies that direct its OAs’ security efforts. During 2012 and in response to our recommendations, OCIO:

• issued a cyber security policy for OST;
• issued the Interim Security Weakness Management Guide;
• issued the FISMA Inventory Guide, which defines information systems and provides guidance on how to identify them; and
• developed a SharePoint site to collect OA cyber security procedures.

Also, in response to our prior three reports, OCIO delegated authority to the OAs to develop supplemental guidance for how to effectively and consistently implement information security. However, as of the end of fiscal year 2012, the guidance remains incomplete. 
The CIO informed us that his office will review each OA’s guidance, once developed, to ensure it aligns with Departmental policy. Table 1 highlights the most important areas that remain outstanding.

[12] OIG, Persistent Weaknesses in DOT’s Controls Challenge the Protection and Security of Its Information Systems, FI-2012-007, November 14, 2011.
[13] Administration Priorities are metrics for Trusted Internet Connection capabilities and utilization, mandatory authentication and Personal Identity Verification (PIV), and continuous monitoring. The next tier is Key FISMA Metrics, which include areas such as cloud, remote access, and incident detection. The final tier is Baseline metrics, which are used to establish current performance to be used to evaluate future performance.

Table 1: Most Significant Deficiencies in Procedures

FISMA Security Program Area: OIG Evaluation

Certification and Accreditation (C&A) of Controls (the assessment of security controls to determine if the controls have been implemented effectively): Procedures for accepting and monitoring shared security controls have not been developed.

Continuous Monitoring of Controls (part of the security authorization process to ensure that controls remain effective over time): Procedures are in draft and require additional detail to guide OA personnel in the development of monitoring practices.

Capital Planning and Investment (policy and procedures that ensure that security funding is incorporated into system budgeting): Procedures for management of security costs as part of IT capital planning are not developed. In 
addition, there are no procedures to develop an EA.
Source: OIG Analysis

The lack of adequate procedures on security requirements creates the possibility that security controls will not be properly applied throughout the Department to protect information systems. Absence of procedures has contributed to the other weaknesses we identified.

DOT CONTINUES TO LACK THE ENTERPRISE-LEVEL CONTROLS NEEDED TO SAFEGUARD ITS IT SYSTEMS

DOT’s enterprise-level controls are still inadequate to ensure that contractors receive required security training, security incidents are detected and reported, configuration baselines are appropriately managed, risks are addressed at all levels of the Department, and that security costs are considered when planning IT investments.

DOT Cannot Accurately Track Contractors’ IT Security Training

FISMA requires agencies to develop and maintain a comprehensive security training program that ensures that all computer users[14] are adequately trained in their security responsibilities before they are allowed access to agency information systems. In prior years, we have reported that DOT’s controls for tracking the number of contractors it has employed are inadequate, resulting in the inability to track training completion for contractors. Over the past year, OCIO has taken a significant step in this area by entering into a memorandum of understanding with FAA that requires FAA to maintain a Web site, Sat.DOT.Gov, where all DOT contractors can take the required security awareness training. 
FAA also maintains a repository of statistics on about 13,000 DOT contractors who have received security awareness training.

[14] Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access.

However, DOT cannot ensure that all contractors are taking required training due to several weaknesses. First, OAs do not reconcile the number of contractors on board to those whom FAA reports as having received training. Second, DOT lacks a robust process to ensure all contractors are identified. Third, some contractors cannot access Sat.DOT.Gov for various reasons, including a lack of user identifications and passwords for login. Finally, DOT does not address security training for contractors who do not have access to systems because of the services they provide, such as security guards. The lack of proper computer security training for contractors creates a risk for several vulnerabilities, including ID and password sharing, acceptance of malicious code through phishing or social engineering, poor password development, and Internet misuse.

DOT’s Incident Reporting and Remediation Processes Remain Insufficient

DOT policy requires the Department’s Cyber Security Management Center (CSMC) to have full network visibility over all DOT systems, including systems operated on behalf of the OAs by contractors and other government organizations. CSMC reported that from October 1, 2011, to September 14, 2012, it successfully remediated 1,969 incidents. However, it does not monitor all departmental networks—including the United States Merchant Marine Academy’s (USMMA) network and many of FAA’s networks—for intrusions. 
These monitoring gaps impede CSMC’s ability to ensure all incidents are reported to US-CERT[15] as required by OMB and to remediate all possible security incidents.

OMB requires agencies to respond to incidents in a timely manner to minimize further damage. However, DOT policy does not address remediation timeframes. In some cases, the time it took to complete remediation appears excessive given the risks involved. For example, remediation of unauthorized access (Category 1)[16] averaged 20 days, while incidents of malicious code (Category 3) averaged 17 days (see Table 2).

[15] The United States Computer Emergency Readiness Team—or US-CERT—is a system managed by the Department of Homeland Security to coordinate cyber information sharing and proactively manage cyber risks to the Nation while protecting its citizens’ constitutional rights.
[16] Incidents are classified into categories to simplify incident reporting to US-CERT. 
The categories do not prioritize timeframes for remediation.

Table 2: CSMC’s Remediation of Security Incidents during Fiscal Year 2012, by Category

US-CERT Category[a]                      Remediated Incidents    Average Days to Remediate
0 Exercise/Network Defense Testing                         6                            2
1 Unauthorized Access                                    151                           20
3 Malicious Code                                       1,320                           17
4 Improper Usage                                         274                           10
5 Scans/Probes/Attempted Access                           72                           14
6 Investigation                                          146                           21
Source: OIG Analysis
[a] No incidents in Category 2 (Denial of Services) were reported.

The lack of comprehensive network monitoring makes it difficult for DOT to ensure that all security incidents are detected, reported, and resolved. Furthermore, the lack of timeframes for resolution increases the risk that critical incidents will not be resolved in a timely manner and expose systems to unnecessary compromise for an excessive amount of time.

DOT Has Not Made Progress in Meeting Configuration Standards

OMB requires compliance with minimally acceptable system configuration requirements for commercial software. Configurations that meet these requirements provide a baseline level of security and ensure the efficient use of resources. 
To improve the Department’s compliance, OCIO created a repository of approved software configurations and a process to review departures from the required settings. However, we found deficiencies in DOT’s compliance with the U.S. Government Configuration Baseline (USGCB) settings, and incomplete implementation of other configuration standards throughout the Department. Inadequately configured software also increases security vulnerabilities that could impact DOT’s mission and business operations.

OAs’ Commercial Operating Systems Do Not Comply With USGCB Security Requirements

OMB requires agencies to adopt USGCB for Microsoft Windows operating systems and to assess compliance with these requirements. OMB further requires agencies to be 100 percent compliant. However, not all DOT systems are configured to meet these requirements. We selected a statistical sample of 1,257 of 82,963[17] computers from all OAs except the Surface Transportation Board (STB).[18] OAs could not locate 917 of the 1,257 computers. Based on this, we estimate that OAs could not find or test 56.4 percent, or 46,791[19] of 82,963 total computers during compliance scanning. As a result, OAs cannot determine if these computers comply with USGCB settings. We tested the remaining 340 sampled Windows computers for these settings. Based on this, we estimate that 63 percent[20] of the approximately 36,150 available Windows computers in the Department’s universe of computers and servers[21] met baseline settings. This is a decline of 7 percentage points from 2011.
[17] We obtained the universe of computer devices from a proprietary database known as Active Directory.
See Table 3 for details on the controls that passed and failed.

Table 3: Results of Sample Testing on USGCB for Windows Operating Systems

Component General Support Systems[a]                              Computers Sampled    Tested    Passed    Failed    Percent Passed
FAA                                                                             127    27,981    14,781    13,200               53%
Federal Motor Carrier Safety Administration (FMCSA) Field Sites                  54     8,928     5,331     3,597               60%
COE[b]                                                                           60    14,454     5,079     9,375               35%
John A. Volpe National Transportation Systems Center                             36     6,304     3,326     2,978               53%
USMMA                                                                            17     4,437     4,346        91               98%
OIG                                                                              46    11,960    11,465       495               96%
Totals                                                                          340    74,064    44,328    29,736
Source: OIG Analysis
[a] OMB Circular A-130, Appendix III, defines general support system as an interconnected set of information resources under the same direct management control that shares common functionality.
[b] The Department consolidated OAs’ common network infrastructures (email, desktop computing and local area networks) into a common IT infrastructure.

One of the Department’s controls for ensuring the use of these approved configuration settings is the application of uniform approved USGCB settings to all workstations. However, we found that these settings varied between workstations. 
For example, we found up to 45 different settings on workstations within FAA, the Maritime Administration (MARAD), the National Highway Traffic Safety Administration (NHTSA), and the Federal Highway Administration (FHWA).

In addition, DOT’s reports on its maintenance of USGCB baseline security settings, which OMB requires departments to submit monthly, have been incomplete. For example, COE and CSMC reports showed that tests for USGCB settings were not run or were incomplete for two-thirds of the COE and CSMC workstations in our sample. This occurred in part because some workstations under COE’s responsibility were not configured to allow automated testing.

[18] The STB CIO did not provide information due to IT resource constraints. Exhibit C defines STB’s obligation to comply with DOT requirements.
[19] Our estimate has a margin of error of +/-5.2 percentage points at the 90 percent level of confidence.
[20] Our estimate has a margin of error of +/-26 percentage points at the 90 percent level of confidence.
[21] We tested to verify USGCB settings for the Windows Operating System.

OAs’ Configuration Management Procedures Do Not Comply With OMB Policy

OMB requires agencies to develop configuration management policies that include approval and documentation of configuration changes to both hardware and software. In addition, OMB recommends the use of automated tools to manage and communicate configuration changes. However, STB did not provide adequate evidence of approvals for system changes. 
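The two preceding findings (setting checks passing or failing against the USGCB baseline, and the same setting carrying different values on different workstations) both come from comparing scanner output against a baseline. The following is an added example, not code from the OIG report, DOT, or the USGCB program: it scores constructed workstation scan records against a constructed baseline, producing per-component counts in the shape of Table 3, counts computers that could not be scanned rather than dropping them, and reports how many distinct states each setting was observed in, which is the "uniform settings" control the report found failing. The setting names, rule values, component names, and scan records are all hypothetical.

```python
"""Baseline compliance and settings-variance check over workstation scan results.

Added example (not code from the OIG report, DOT, or the USGCB program): the
baseline rules, component names, and scan records below are constructed for
illustration. A real run would load the published baseline and the scanner output.
"""
from collections import defaultdict

# Constructed baseline: setting -> (rule, required value). "min"/"max" express
# "at least"/"at most"; "eq" requires an exact match. Values are hypothetical.
BASELINE = {
    "MinimumPasswordLength": ("min", 12),
    "LockoutThreshold": ("eq", 5),
    "ScreenSaverTimeoutSeconds": ("max", 900),
    "AutorunDisabled": ("eq", True),
    "FirewallEnabled": ("eq", True),
}

MISSING = "<missing>"  # sentinel for a setting the scanner did not return

# Constructed scan results, one record per sampled workstation. A record with
# settings=None models a computer the OA could not locate or could not scan.
SCANS = [
    {"host": "ws-01", "component": "GSS-A", "settings": {
        "MinimumPasswordLength": 12, "LockoutThreshold": 5,
        "ScreenSaverTimeoutSeconds": 900, "AutorunDisabled": True, "FirewallEnabled": True}},
    {"host": "ws-02", "component": "GSS-A", "settings": {
        "MinimumPasswordLength": 8, "LockoutThreshold": 5,
        "ScreenSaverTimeoutSeconds": 1800, "AutorunDisabled": True, "FirewallEnabled": True}},
    {"host": "ws-03", "component": "GSS-A", "settings": None},
    {"host": "ws-04", "component": "GSS-B", "settings": {
        "MinimumPasswordLength": 12, "LockoutThreshold": 10,
        "ScreenSaverTimeoutSeconds": 600, "AutorunDisabled": False, "FirewallEnabled": True}},
    {"host": "ws-05", "component": "GSS-B", "settings": {   # ScreenSaverTimeoutSeconds absent
        "MinimumPasswordLength": 12, "LockoutThreshold": 5,
        "AutorunDisabled": True, "FirewallEnabled": True}},
]


def setting_passes(rule, required, observed):
    """Apply one baseline rule; a setting the scanner could not read never passes."""
    if observed == MISSING:
        return False
    if rule == "eq":
        return observed == required
    if rule == "min":
        return observed >= required
    if rule == "max":
        return observed <= required
    raise ValueError(f"unknown rule {rule!r}")


def check_host(settings, baseline=BASELINE):
    """Return {setting: True/False} for one scanned workstation."""
    return {name: setting_passes(rule, req, settings.get(name, MISSING))
            for name, (rule, req) in baseline.items()}


def summarize(scans=SCANS, baseline=BASELINE):
    """Per-component counts in the shape of an audit summary table: computers
    sampled, computers not scanned, setting checks tested/passed/failed, and the
    percent of checks passed (None when nothing could be tested)."""
    out = defaultdict(lambda: {"sampled": 0, "not_scanned": 0,
                               "tested": 0, "passed": 0, "failed": 0})
    for rec in scans:
        row = out[rec["component"]]
        row["sampled"] += 1
        if rec["settings"] is None:
            row["not_scanned"] += 1      # reported, not silently dropped
            continue
        results = check_host(rec["settings"], baseline)
        passed = sum(results.values())
        row["tested"] += len(results)
        row["passed"] += passed
        row["failed"] += len(results) - passed
    for row in out.values():
        row["percent_passed"] = (round(100 * row["passed"] / row["tested"], 1)
                                 if row["tested"] else None)
    return dict(out)


def setting_variance(scans=SCANS, baseline=BASELINE):
    """Distinct observed states per baseline setting across scanned hosts; an
    absent setting counts as its own state. Anything above 1 means the
    'uniform settings on all workstations' control is not holding."""
    seen = defaultdict(set)
    for rec in scans:
        if rec["settings"] is None:
            continue
        for name in baseline:
            seen[name].add(rec["settings"].get(name, MISSING))
    return {name: len(values) for name, values in seen.items()}


def nonuniform_settings(scans=SCANS, baseline=BASELINE):
    """Sorted names of settings that vary between workstations."""
    return sorted(n for n, k in setting_variance(scans, baseline).items() if k > 1)


if __name__ == "__main__":
    for component, row in sorted(summarize().items()):
        print(component, row)
    print("settings that vary across workstations:", nonuniform_settings())
```

Two design choices matter for an auditor reading the output: a computer that could not be scanned is carried as `not_scanned` so the denominator of "percent passed" is visibly the tested checks only, mirroring the report's separate estimate for computers that could not be found; and a setting the scanner did not return is treated both as a failed check and as a distinct observed state, so incomplete automated testing shows up in the variance count instead of hiding in it.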
Furthermore, the Federal Motor Carrier Safety Administration’s (FMCSA) field sites do not use computer applications to track and record network changes; this is performed manually.

NHTSA and the Saint Lawrence Seaway Development Corporation (SLSDC) rely on COE for all of their configuration management controls. However, the Department has not implemented a number of these key controls. For example, the COE’s configuration baselines are not up to date, and its configuration changes are not documented or approved by the COE manager.

DOT Has Not Implemented a Departmentwide Risk Management Program

OMB requires agencies to implement a risk management program that includes a governance structure for managing and monitoring risk at three levels: enterprise, business process, and system. However, DOT has not created this enterprisewide governance structure, and only addresses risk at the system level as part of the certification and accreditation process.

Similarly, OAs, with the exception of NHTSA and the Pipeline and Hazardous Materials Safety Administration (PHMSA), do not have risk management programs and only address risk when accrediting systems. 
This limited view will likely result in an inadequate understanding and consideration of how information security risk, like other organizational risks, affects the likelihood of DOT successfully carrying out its missions and business functions.

The Department’s Capital Planning and Investment Control Process Does Not Adequately Address Security

During fiscal year 2012, DOT requested $113 million for IT security from OMB—an approximate increase of $15 million over its fiscal year 2011 request. To ensure an adequate budget for security, OMB requires agencies to plan for and track information security costs as part of their capital planning process and to link these costs to the agencies’ enterprise architectures. However, DOT’s requests were not supported by a capital planning process or linked to an EA. 
Furthermore, only NHTSA and SLSDC have a process to estimate security costs (see Table 4).

Table 4: OAs’ IT Security Funding Estimation Process

OA          Total IT investment,     Security investment,     Security Cost Estimation
            dollars in millions      dollars in millions      Process[a]
FAA                  $2,764.07                  $72.92        Partial
FHWA                     46.99                    6.43        Partial
FMCSA                    24.20                    1.28        Partial
FRA                      18.83                    1.59        Partial
FTA                      18.56                     .46        No
MARAD                    13.35                    1.11        No
NHTSA                    24.74                     .96        Yes
OIG                       3.95                     .09        No
OST                     154.22                   26.92        No
PHMSA                     9.09                     .43        Partial
RITA[b]                  16.62                     .95        No
SLSDC                      .16                     .04        Yes
STB                       2.13                       0        No
Total                   $3,097                    $113
Source: WorkLenz–the Department’s investment portfolio system, as of September 2012.
[a] An 
organization’s approach to its selection, management, and evaluation of IT security investments with use of a security model defined in the EA.
[b] Research and Innovative Technology Administration

DOT has not provided OAs with guidance on estimating IT security costs or implemented controls to ensure these costs are reasonable. OAs self-report their security estimates to OCIO for reporting to OMB and are not accountable for the reasonableness of their estimates. OCIO reported that as part of its changes to the Department’s EA, which it plans to complete by the end of fiscal year 2014, it is integrating IT security into capital planning and investment control. However, OCIO provided no plan for these efforts or policy and procedures for the integration of EA and IT security into the capital planning and investment control process. In addition, OAs reported that they have not received direction from the OCIO on the development of the EA. Without a security estimation process linked to capital planning and EA, the Department is unable to ensure that funding for critical security needs is cost effective.

DOT’S SYSTEM-LEVEL CONTROLS ARE NOT SUFFICIENT TO KEEP SYSTEMS SECURE OR ENSURE RECOVERY

The Department’s system-level controls are insufficient to protect the systems’ security and ensure that the systems can be recovered in the event of a serious breach.
Persistent deficiencies continue to impede DOT efforts to comply with requirements for C&A and contingency plan testing, shared system security controls, continuous monitoring of security controls, oversight of contractor-operated systems, and controls over remote access and identity and account management.

Certification and Accreditation Process and Contingency Plan Testing Are Incomplete

As of September 2012, 11 DOT systems were unaccredited, meaning they were not authorized to operate (see Table 5). OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires Federal systems to be reauthorized—or reaccredited—at least once every 3 years through a C&A process. Certification of a system requires assessing risk, planning security, testing of minimum security controls, creating plans of actions for identified weaknesses, and mitigating risks. An authorizing officer appointed by the agency, typically a senior executive, reviews the certification results and reaccredits the system when he or she determines that the system’s operation poses minimal security risk. DOT’s 11 unaccredited systems represent an increase over last year’s 8 unaccredited systems.
Of the 11, 4 have been overdue since 2010 and one since 2009.

Table 5: DOT Systems with Expired C&A

OA      System                                            Expiration Date   Total Systems
FMCSA   Analysis and Information                          6/26/3012
        Safety and Fitness Electronic Records             5/29/2012
        SAFETYNET                                         3/16/2012                     3
FRA     Procurement Information System for Management     9/10/2012                     1
NHTSA   FARS                                              5/14/2012                     1
OST     Correspondence Control Management System          10/31/2010                    1
RITA    Mission Support                                   7/30/2009
        Transportation Safety Institute Infrastructure    1/02/2010
        Web                                               5/31/2010
        Transtat                                          5/16/2011                     4
STB     Case Management System                            11/6/2010                     1
Total                                                                                  11
Source: OIG Analysis

We evaluated a random sample of 60 of DOT’s 420 IT systems.[22] We found that 24 of the 60 sample systems had incomplete C&A documentation, and 31 systems did not receive complete security control testing.
Based on these results, we estimate that 118 of 420 systems[23] in the DOT universe had incomplete C&A documentation and 169[24] did not receive complete security control testing (see Table 6).

Table 6: Sample Systems’ C&A, Control Testing, and Contingency Plans

OA       Systems   Systems without   Systems without      Systems with deficient or
         tested    adequate C&A      complete control     inadequate contingency
                                     testing              plan/testing
FAA           22                 3                  5                            8
FHWA           5                 2                  5                            2
FMCSA          3                 3                  3                            3
FRA            2                 2                  0                            1
FTA            2                 1                  2                            0
MARAD          3                 3                  3                            3
NHTSA          2                 0                  0                            0
OIG            2                 2                  2                            1
OST [a]       10                 4                  4                            5
PHMSA          2                 0                  0                            2
RITA           4                 3                  4                            4
SLSDC          1                 0                  1                            0
STB            2                 1                  2                            2
Total         60                24                 31                           31
Source: OIG Analysis
[a] For purposes of this report, COE systems are counted under Office of the Secretary.

DOT also lacks a plan for the recovery of its IT systems in the event of a disruption. Both NIST and OMB require Federal agencies to implement plans for recovering their information systems after unforeseen shutdowns. Agencies must also annually test their contingency plans to ensure the plans will function properly when needed. Thirty-one of the 60 systems in our sample had missing or inadequate contingency plans or plan testing. Table 7 provides some examples.

[22] We selected a random sample of 58, or 4.5 percent, of DOT’s systems. One system was made up of three subsystems, 1) Campus Area Network, 2) Common Operating Environment, and 3) Helpdesk, bringing our sample to 60 systems.
[23] Our estimate has a margin of error of +/-38 systems or 9.0 percent at the 90 percent level of confidence.
[24] Our estimate has a margin of error of +/-44 systems or 10.4 percent at the 90 percent level of confidence.

Table 7: Sample Systems’ Contingency Plans Preparation, Training, and Testing Results with Identified Deficiencies by OA

Description [a]                               FAA    FHWA   FMCSA  FRA    FTA    MARAD  NHTSA  OIG    OST    PHMSA  RITA   SLSDC  STB
Business Continuity and Disaster Recovery
Plan (BCDRP) did not exist.                   X             X      X             X             X      X      X      X             X
BCDRP not revised to correct deficiencies
found during testing.                         X      X      X      X      X                    X      X      X      X             X
Contingency exercises tested and failed.      X             X                           X             X      X      X             X
Contingency plans not tested.                 X             X      X                           X      X             X             X
Contingency test results not reported.        X      X      X      X                           X      X             X             X
No evidence of system backup at alternative
processing sites.                             X             X      X                                  X             X             X
System backup not in accordance with
procedures.                                   X             X      X      X                    X      X             X             X
Alternative processing sites vulnerable to
the same risks as primary sites.              X             X      X             X                    X             X      X      X
No evidence of risk assessment performed for
alternative processing sites.                 X      X      X                    X             X             X      X             X
Source: OIG Analysis
[a] The deficiency described was found in one or more OA’s sample systems that OIG assessed.

Based on these results, we estimate that OAs did not complete contingency testing for 202 of DOT’s 420 systems.[25] Without proper C&A, serious system weaknesses may remain unidentified. Consequently, the Department cannot ensure that its systems are reasonably protected against security threats. Furthermore, a lack of complete contingency testing means that OAs may not be able to recover their systems from unplanned shutdowns in time to minimize business disruption.

[25] Our estimate has a margin of error of +/-51 or 12.2 percent at the 90 percent level of confidence.

DOT Does Not Coordinate the Use of Shared System Security Controls

NIST requires providers of common controls—security controls that support multiple information systems—to have policies and procedures for their use, document the controls in a separate security plan, conduct a C&A of the common controls, monitor their effectiveness, and inform users when changes occur that may adversely affect the protections provided by or expected of these controls. NIST also requires that the senior information security officer for the organization coordinate with common control providers to ensure that the required controls are developed, implemented, and assessed for effectiveness. However, DOT does not have common control procedures.
Furthermore, DOT providers do not have a security plan or a formal process to advise users when the common controls are not effective or in place. In addition, system managers who use inherited controls—a control that is part of a network and used by a software application that resides on the network—frequently do not verify the functionality of the control as part of their system accreditation process. Finally, there is no coordination to ensure that the controls are effective. All 13 OAs used common controls as part of their system C&As, but none had a documented process for the use of the common controls or had verified the functionality of inherited controls. The lack of adequate management of common controls results in numerous systems that have been accredited while relying on missing controls and hence are operating at an unacceptable level of risk.

DOT’s Continuous Monitoring of Security Controls Remains Ineffective

OMB guidance calls for agencies to develop strategies for the continuous monitoring of security control effectiveness. DOT has deferred implementation of continuous monitoring to the OAs; however, as in previous years, the Department’s continuous monitoring policy and procedures were not sufficiently detailed to ensure OAs comply with OMB’s guidance. For example:

• At four of the 13 OAs—FAA, MARAD, OIG, and OST—continuous monitoring policies and procedures are still in draft form. FHWA and FMCSA have plans, but have not begun to develop continuous monitoring policies and procedures.
RITA, SLSDC, and STB either did not have or did not provide documentation that addressed continuous monitoring policies and procedures.
• FAA, FHWA, FMCSA, MARAD, NHTSA, OST, RITA, SLSDC and STB reported that they annually assess selected security controls but do not perform continuous monitoring.
• Thirty sample systems failed our reviews of continuous monitoring processes. These systems are at FAA, FHWA, FMCSA, FTA, MARAD, OST, RITA, SLSDC, and STB.

The Department’s lack of guidance on continuous control monitoring diminishes the OAs’ abilities to monitor their systems’ security, and to respond quickly to new threats. To address these weaknesses, OCIO has informed us that it recently acquired a highly complex software solution, which it is piloting. If properly implemented, this software will allow management to rapidly remediate weaknesses and protect systems, and instantaneously report on security status.

OAs Do Not Designate All Contractor-Operated Systems in Accordance with OMB Guidance

OMB also requires agencies to maintain up-to-date inventories of their information systems.[26] These inventories must designate each system as either “contractor operated” or “organization operated,” based on who manages the system—the Federal agency or an outside entity. Specifically, contractor operated systems are those that are either fully or partially owned or operated by another agency, a contractor, or other entity. For fiscal year 2012, OCIO provided OAs new guidance[27] that includes this definition of contractor operated. However, OAs are not designating all their systems in accordance with the guidance.
We determined that 24 of the 60 systems were contractor systems, but only 4 were designated as such.

Because contractors or other entities, rather than the OAs, manage the security controls in contractor operated systems, the systems represent higher risk to the Department. The lack of an accurate inventory of these systems makes it difficult for the Department to know which systems it is not managing and which consequently pose higher risk.

DOT Lacks a Secure Remote Access Management Program

OMB and NIST provide guidance for agencies on controlling remote access to their systems, and DOT has incorporated the guidance into its policy. DOT OCIO policy on remote access delegates responsibility to OAs for documenting, managing, and controlling remote access of the systems under their control.[28] However, the OAs’ remote access controls do not comply with DOT’s policies and guidance. For example:

• COE, STB, and Volpe do not require the use of multifactor authentication.
• COE, Volpe, FMCSA field sites, and STB do not fully comply with NIST guidance for authorizing, monitoring, and controlling remote access.
• STB reported it has not established a process for securing and monitoring remote devices.

[26] OMB defines “contractor system” as any system fully or partially provided or managed by another agency, contractor, or other source.
[27] DOT FISMA Inventory Guide, 6 June 2012.
[28] Remote access management to DOT information and information systems is separated among 7 entities: COE, FMCSA for field sites, OIG, STB, Volpe, USMMA, and FAA. COE manages remote access for these OAs with the exception of STB and FMCSA field sites.

Without effective controls over remote access, DOT cannot ensure that only authorized computers and personnel access its information systems or minimize risks of malware on its networks or loss of sensitive information.

DOT Has Not Fully Implemented Use of Personal Identity Verification Cards for Multifactor User Identity Authentication for System Access

OMB required that, by 2012, all Federal personnel use personal identity verification (PIV) cards to log on to agency computers for multifactor user identity authentication. In a briefing to the CIO Council in December 2011, the Department indicated that it would require PIV card login for 75 percent of desktop and laptop users by September 30, 2012. However, as of June 2012, only 42 percent of DOT’s systems are enabled for user logon with PIVs, and only 7 percent of the Department’s systems require the use of PIV for user identity authentication. Because DOT does not fully employ multi-factor authentication for computer users, it is unable to adequately authenticate the identities of all users.

DOT’s Account Management Program Remains Incomplete

While the Department is working to resolve the account management issues we identified in our 2011 report, its account management controls still do not meet DOT and NIST policies and guidance, exposing DOT to increased risk of unauthorized access to information systems. For example:

• The Department does not adequately distinguish between user and non-user accounts, as required by NIST.
Proper identification of accounts is essential to prevent non-user accounts from being used to gain unauthorized access to the systems.
• The Department does not disable inactive accounts within the departmentally mandated time frame of 60 days.

DOT CONTINUES TO LACK AN EFFECTIVE PROCESS FOR THE REMEDIATION OF SECURITY WEAKNESSES

FISMA requires agencies to develop a process to remediate information security weaknesses. OMB similarly requires departments to develop POA&Ms for detected system weaknesses and to prioritize remediation based on the seriousness of each weakness. OAs designate weaknesses as high, medium, or low priority for remediation.

However, the Department has not improved its management of information security weaknesses. Of the 5,265 open POA&Ms, 2,161 were past their due dates for resolution, including 432 that are over a year overdue. These numbers represent a 7 percentage point increase in incomplete POA&Ms over 2011.
We also found that 132 of these open POA&Ms have no completion dates (see Table 8).

Table 8: DOT’s Open POA&Ms and Days Overdue, as of July 31, 2012

OA        Number   Days Overdue                                          Summary of Timeliness Issues
         of Open      1–60   61–90   91–120   121–365   366+   No due   Total overdue,   Total overdue,
          POA&Ms                                                  date          current         expected
COE            7         1       0        2         0      4        0                7                0
FAA        4,397       400     122       99       510    329       20            1,480            2,917
FHWA          25         6       0        0         1      0        0                7               18
FMCSA        298       130       0        0        79      0       82              291                7
FRA           26         6       0        0         0     19        1               26                0
FTA           30         0       0        0        12      1        0               13               17
MARAD        169        98       0        4        44      0        0              146               23
NHTSA          0         0       0        0         0      0        0                0                0
OIG           13         0       0        0         0     13        0               13                0
OST          118        24       0        0        43      4        0               71               47
PHMSA         39         9       0        0         0      0       26               35                4
RITA          32         0       0        0         0     10        1               11               21
SLSDC          3         1       0        0         0      0        0                1                2
STB          108         5       0        0         1     52        2               60               48
Total      5,265       680     122      105       690    432      132            2,161            3,104
Source: DOT Open POA&Ms in Cyber Security Assessment and Management (CSAM) system

Departmental policy requires OAs to record all known weaknesses in the Department’s CSAM database—a repository meant to facilitate tracking of security weaknesses and their remediation. However, we found that 18 of our 60 sample systems had POA&Ms that OAs had not recorded in CSAM. Based on these results, we estimate that 96 systems out of 420[29] did not have all known POA&Ms recorded in CSAM.

Finally, OMB guidance calls for CIOs to meet with their OAs quarterly to review progress on POA&M completion. From the evidence OCIO provided us, it only met with OAs in September 2012, not quarterly. Completing POA&Ms in a timely manner is critical to ensuring that systems are adequately secured and protected because weaknesses that are unresolved for extended periods of time create the risk of exploitation.

[29] Our estimate has a margin of error of +/-39 systems or 9.2 percent at the 90 percent level of confidence.

CONCLUSION

Protecting DOT’s information systems is critical for ensuring the Nation’s transportation systems run smoothly and safely and Federal dollars for major programs are used efficiently and appropriately.
While DOT has finalized its information security policy and initiated a number of initiatives to enhance its cyber security program, persistent control weaknesses continue to put at risk the confidentiality, integrity, and availability of the Department’s information. These weaknesses, many of which are longstanding, also render DOT vulnerable to hackers and others who continue to aggressively probe and compromise Federal networks. Until DOT takes additional actions to correct these weaknesses and comply with Federal requirements, it will continue to expose its IT systems to serious security risks.

RECOMMENDATIONS

To help the Department address the challenges in developing a mature and effective information security program, we recommend that the Acting Chief Information Officer take the following actions in addition to 21 recommendations that are still open from prior FISMA reports:

Information Security Policy

1. Work with Operating Administrations to enhance and develop their internal procedures for inheriting controls, continuous monitoring, and capital planning to better address key NIST requirements.

Enterprise-Level Weaknesses

2. Establish timeframes for incident remediation based on risk.
3. Remove inactive computer devices from the Active Directory databases by (a) requiring the OAs to develop a POA&M to address the removal of such devices in a timely manner, (b) reviewing the adequacy of the POA&Ms, and (c) monitoring the OA’s clean-up process through completion.
4. Develop, document and approve an enterprise-wide risk management program and strategy as defined by NIST 800-39.

Information System Security

5. Identify and work with common control providers to develop and implement a security plan that will ensure that systems that inherit common controls are adequately protected and C&A’d.

AGENCY COMMENTS AND OIG RESPONSE

A draft of this report was provided to the Department’s Acting CIO on November 1, 2012. On November 13, 2012, we received the Department’s response, which can be found in its entirety in the Appendix. In its response, the Department highlighted the progress it made during fiscal year 2012 to improve its cyber security. In addition, the Department outlined its priorities for fiscal year 2013, and committed to providing us with specific planned actions and milestones to address our recommendations.

ACTIONS REQUIRED

In accordance with Department of Transportation Order 8000.1C, we would appreciate receiving your detailed action plans and target dates for the recommendations in this report within 30 calendar days. We will review the Acting Chief Information Officer’s detailed action plans when provided to determine whether they satisfy the intent of our recommendations. All corrections are subject to follow-up provisions in DOT Order 8000.1C. We appreciate the courtesies and cooperation of the CIO Office and the Operating Administrations’ representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1959; Lou E. Dixon, Principal Assistant Inspector General for Auditing and Evaluation, at (202) 366-1427; or Louis C. King, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1407.

cc: Deputy Secretary
    Assistant Secretary for Budget and Programs/Chief Financial Officer
    CIO Council Members
    DOT Audit Liaison, M-1

EXHIBIT A. SCOPE AND METHODOLOGY

The Federal Information Security Management Act of 2002 (FISMA) requires us to perform an independent evaluation to determine the effectiveness of the Department’s information security program and practices. FISMA further requires that our evaluation include testing of a representative subset of systems and an assessment, based on our testing, of the Department’s compliance with FISMA and applicable requirements. On February 15, 2012, the Department of Homeland Security (DHS) issued FISM 12-02, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, which provides instructions to Inspectors General for the completion of their FISMA evaluations and the required DHS template.

To meet FISMA and OMB requirements, we selected a representative subset of 58 of 420 departmental systems (see Table 9 below) and reviewed the compliance of these systems with NIST and DHS requirements in the following areas: risk categorization; security plans; annual control testing; contingency planning; certification and accreditation; incident handling; and plans of actions and milestones. To evaluate USGCB/FDCC compliance within the Department, we selected a stratified sample of 1,257 out of 82,963 devices to be scanned for compliance.
We created a script to extract the test results of FDCC/USGCB controls from 340 out of 1,257 devices that were available for scanning.

We evaluated prior year recommendations and supporting evidence to determine what progress, if any, was made in the areas of continuous monitoring, configuration management, risk management, security training, contractor services, and identity and account management. In addition, we also conducted testing to assess the Department’s inventory, its overall process for resolution of information security weaknesses, configuration management, incident reporting, security-awareness training, remote access, security capital planning, and account and identity management. Our tests included analysis of data contained in the Department’s CSAM system, reviews of supporting documentation, and interviews with departmental officials. We conducted this audit between February and October 2012 in accordance with generally accepted Government auditing standards. As agreed with the Department, our FISMA review covered through year-ending July 31, 2012.

Exhibit A: Scope and Methodology

Table 9: OIG’s Representative Subset of DOT Systems, by OA

No.   System                                                          Impact Level   Contractor System? [a]
Federal Aviation Administration
1     Whistleblower Protection Program                                High           No
2     Inspector Credentials                                           High           No
3     Web Operations Safety System                                    High           No
4     Facility Safety Assessment System-ATO                           Low            No
5     Bandwidth Manager                                               Moderate       No
6     AST Local Area Network                                          Moderate       No
7     Air Route Surveillance Radar Model 4                            Moderate       No
8     Aircraft Certification Office Subsystem                         Moderate       No
9     Safety Management Information System                            Moderate       No
10    Interim Voice Switch Replacement System                         Moderate       No
11    Advanced Qualification Program                                  Low            No
12    Obstruction Evaluation/Airport Airspace Analysis                Low            No
13    Safety Issues Reporting System                                  Moderate       No
14    Monitor Safety Analyze Data                                     Moderate       No
15    FAA Read-Only Data Interface                                    Moderate       Yes
16    Real Estate Management System                                   Moderate       No
17    ESC Department of Commerce Infrastructure                       Moderate       No
18    ATO Application Portal                                          Moderate       No
19    Messaging Services                                              Moderate       No
20    Data Multiplexing Network                                       Moderate       No
21    Technical Support Services Contract- Work Release Information   Low            No
      Tracking System
22    Enhanced Terminal Voice Switch                                  Moderate       No
Federal Highway Administration
23    Rapid Approval & State Payment System                           High           No
24    ITD Application and Oracle Database Servers                     High           No
25    FHWA Organization Information System                            Moderate       No
26    Motor Fuels and Finance Analysis System – Highways              Low            No
27    Federal Lands Labor Cost Distribution Process                   Low            No
Federal Motor Carrier Safety Administration
28    CDLIS-Gateway                                                   Moderate       Yes
29    Hazardous Material Package Inspection Program                   Moderate       No
30    Performance and Registration Information Systems                Low            No
      Management
Federal Railroad Administration
31    Track Research Instrumentation Platform Information System      Moderate       Yes
32    Locomotive Engineer Training Simulator                          NC             No
Federal Transit Administration
33    TEAM                                                            Moderate       No
34    FTA Inter/Intranet                                              Moderate       No
Maritime Administration
35    Maritime Service Compliance System                              Moderate       No
36    Electronic Invoice System                                       Moderate       No
37    FOIAXpress                                                      Low            Yes
National Highway Traffic Safety Administration
38    EDS                                                             Moderate       No
39    Artemis                                                         Moderate       No
Office of Inspector General
40    US DOT/OIG Infrastructure                                       Moderate       No
41    US DOT/OIG TIGR System                                          Moderate       No
Office of the Secretary of Transportation
42    Drug and Alcohol Testing Management Information System          Moderate       No
43    Facilities and Building Management System                       Moderate       No
44    Web Printing System                                             Moderate       No
45    CASTLE                                                          Moderate
No\n46       Cyber Security Assessment and Management                                        High                 No\n47       Security Operations Systems                                                     High                 No\nPipelines and Hazardous Materials Safety Administration\n48       Hazardous Materials Information System                                          Moderate             No\n49       PHMSA Portal System                                                             Moderate             No\nResearch and Innovative Technology Administration\n50       RITA Mission Support                                                            Low                  No\n51       IEC Data Warehouse                                                              Moderate             No\n52       Transtats                                                                       High                 No\n53       Airline Reporting Data Information System                                       High                 No\nSaint Lawrence Seaway Development Corporation\n54       Financial Management System                                                     Low                  No\n                                        b\nSurface Transportation Board\n55       Case Management System                                                          Moderate             No\n56       Local Area Network                                                              Moderate             No\nCommon Operating Environment\n57       Common Operating Environment                                                    High                 No\n58       Business Communications System                                                  Moderate             No\nSource: OIG\na\n    DOT Cyber security Definition of Contractor System\nb\n    For purpose of this report, STB were selected as part of the sample. 
Exhibit C defines STB obligation to comply with\n     DOT requirements.\n\n\n\n\nExhibit A: Scope and Methodology\n\x0c                                                                                25\n\n\n\nAs required, we submitted to OMB qualitative assessments pertaining to DOT\xe2\x80\x99s\ninformation security program and practices. In addition to the preparation of our\nsubmission, we reviewed the Department\xe2\x80\x99s progress in resolution of weaknesses\nand implementation of recommendations identified in our prior FISMA reports.\n\nWe performed our information security review work between February 2012 and\nOctober 2012. We conducted our work at departmental and OA Headquarters\'\noffices in the Washington, D.C. We conducted our audit in accordance with\ngenerally accepted Government auditing standards. Those standards require that\nwe plan and perform the audit to obtain sufficient, appropriate evidence to provide\na reasonable basis for our findings and conclusions based on our audit objectives.\nWe believe that the evidence obtained provides a reasonable basis for our findings\nand conclusions based on our audit objectives.\n\nGenerally accepted government auditing standards require us to disclose\nimpairments of independence or any appearance thereof. OMB requires that the\nFISMA template include information from all DOT OAs, including OIG. 
Because\nthe OIG is a small component of the Department, based on number of systems,\nany testing pertaining to the OIG or its systems does not impair our ability to\nconduct this mandated audit.\n\nPrevious audit reports on the Department\xe2\x80\x99s information security program issued in\nresponse to FISMA\'s mandate include the following:\n\n\xe2\x80\xa2 Persistent Weaknesses in DOT\'s Controls Challenge the Protection and\n  Security of its Information Systems, FI-2012-007, November 14, 2011\n\xe2\x80\xa2 Timely Actions Needed to Improve DOT\'s Cybersecurity, FI-2011-022,\n  November 15, 2010\n\xe2\x80\xa2 Audit of DOT\'s Information Security Program and Practices, FI-2010-023,\n  November 18, 2009\n\xe2\x80\xa2 DOT Information Security Program, FI-2009-003, October 8, 2008\n\xe2\x80\xa2 DOT Information Security Program, FI-2008-001, October 10, 2007\n\xe2\x80\xa2 DOT Information Security Program, FI-2007-002, October 23, 2006\n\xe2\x80\xa2 DOT Information Security Program, FI-2006-002, October 7, 2005\n\xe2\x80\xa2 DOT Information Security Program, FI-2005-001, October 1, 2004\n\xe2\x80\xa2 DOT Information Security Program, FI-2003-086, September 25, 2003\n\xe2\x80\xa2 DOT Information Security Program, FI-2002-115, September 27, 2002\n\xe2\x80\xa2 DOT Information Security Program, FI-2001-090, September 7, 2001\n\n\n\n\nExhibit A: Scope and Methodology\n\x0c                                                                                   26\n\n\nEXHIBIT B. Status of Prior Year\xe2\x80\x99s Recommendations\n\nTable 10: OIG Recommendations for Fiscal Year 2011, and Their\nStatus\nNo. 
Status   Recommendation\n1   Partially Address these policy and procedural weaknesses:\n    Closed \xe2\x80\xa2 Issue information security policy for OST,\n              \xe2\x80\xa2 Enhance existing policy to address security awareness training for\n                 non-computer users, address security costs as part of capital\n                 planning, correct the definition of "government system", and address\n                 the identification, monitoring, tracking and validation of users and\n                 equipment that remotely access DOT networks and applications.\n              \xe2\x80\xa2 In conjunction with the OA CIOs, execute a strategy to ensure that\n                 sufficient procedural guidance exists for DOT and the OAs.\n2   Open     In conjunction with OA CIOs, establish incident monitoring and detection\n             capabilities to include all of the Department\'s systems and facilitate\n             central and real-time reporting.\n3   Open     In conjunction with OA CIOs, create, complete or test contingency plans\n             for deficient systems.\n4   Closed In conjunction with OA CIOs, verify that backup media are properly\n           secured and regularly tested.\n5   Open     In conjunction with OA CIOs, verify that minimum security controls are\n             adequately tested for deficient systems.\n\n\n\n\nExhibit B. St atus of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                      27\n\n\nTable 11: OIG Recommendations for Fiscal Year 2010, and Their\nStatus\nNo. Status   Recommendation\n1   Closed Address these policy and procedural weaknesses:\n           \xe2\x80\xa2 Develop procedural guidance for the C&A process. 
In addition, modify\n             existing certification and accreditation policy and procedures to\n             address inheritance of common information security controls, and to\n             provide procedural guidance to modes.\n           \xe2\x80\xa2 Correct POA&M policy to prioritize weaknesses in a way that ensures\n             that high priority weaknesses are resolved before medium priorities,\n             and medium ones before low ones. In addition, develop procedural\n             guidance to ensure consistency of the POA&M process and to facilitate\n             CIO\'s oversight and management of weaknesses.\n           \xe2\x80\xa2 In conjunction with the modes, develop procedural guidance for\n             tracking and training personnel with significant security responsibilities.\n             This guidance should address maintaining complete inventories of\n             such personnel, and the training needed and provided.\n           \xe2\x80\xa2 Enhance high-level policy with procedural guidance to ensure\n             consistency of the network accounts and identity management.\n           \xe2\x80\xa2 In conjunction with the Assistant Secretary for Administration, complete\n             Department-wide PIV operating procedures, including procedures to\n             terminate PIV cards.\n           \xe2\x80\xa2 Review and revise all configuration management policy and develop\n             specific details for activities that are common across the department.\n             As part of this effort, develop procedural guidance that would define\n             requirements for OAs to use when developing configuration\n             management procedures specific to their operation.\n           \xe2\x80\xa2 Develop procedural guidance that would define requirements for OAs\n             to use when developing incident handling procedures specific to their\n             operation.\n           \xe2\x80\xa2 Enhance policy and procedural guidance to 
incorporate detailed\n             guidance for managing, monitoring and reporting FDCC compliance,\n             including the use of SCAP tools to ensure FDCC compliance. Once\n             policy adequately addresses contractor oversight per Recommendation\n             4 of last year\'s report, develop relevant procedural guidance. This\n             policy should establish the criteria and guidelines for DOT\xe2\x80\x99s\n             identification and reporting of contractor systems consistent with OMB\n             requirements\n           \xe2\x80\xa2 Enhance high-level policy with procedural guidance to ensure remote\n             access and wireless networking is authorized, managed and monitored\n             in compliance with OMB, NIST and DOT policies.\n2   Closed To the extent the OAs require their own guidance, review guidance to\n           verify compliance with department policies and procedures.\n3   Closed Implement a quality assurance process to review OA\n           specific configuration management procedures to ensure that they adhere\n           to the departmental policy and Federal requirements.\n\n\n\n\nExhibit B. St atus of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                        28\n\n\nNo. Status    Recommendation\n4    Open     Implement a process to review OAs security configuration management\n              practices and software scanning capabilities. Provide monitoring of OAs\n              practices to ensure they are adhering to the policy and practices.\n5    Closed Require OST to implement required system patches on their Delphi\n            system.\n6    Open     Conduct scanning of all DOT networks to ensure compliance with FDCC\n              requirements. 
In addition, review results of modal SCAP compliance\n              scans to identify and resolve incorrect FDCC settings.\n7    Closed Require and approve deviation requests for those non-conforming\n            settings that are truly needed and for which risks have been mitigated and\n            accepted.\n8    Open     Conduct periodic tests to assess FDCC compliance and deployment of\n              patches, including service packs.\n9    Open     Analyze the incorrect FDCC configuration settings identified in our testing,\n              and for those that do not have approved deviations, require OAs to create\n              POA&Ms to correct the settings.\n10   Closed Implement a practice to review OA specific incident handling procedures\n            to ensure that they adhere to the departmental policy.\n11   Closed Implement a process to review reported incidents to ensure timely\n            reporting to US-CERT. In addition, provide monitoring of incidents\n            reported to ensure all required data in the tracking system(s) is up-to-date\n            for incidents sent and data received back for US-CERT.\n12   Open     Review FHWA, FMCSA, FRA, FTA and RITA automated scans\n              confirming timely resolution of vulnerabilities. If deficiency is found\n              require OA to provide corrective action and to update plan of actions and\n              milestone to address weakness.\n13   Closed Require OAs to reconcile their contractor records with DOT security\n            department and update their records accordingly. 
Monitor and report to\n            the Deputy Secretary, Operating Administrations\xe2\x80\x99 progress in resolving\n            the discrepancy with their contractor records and DOT security\n            department.\n14   Open     Identify and implement automated tools to better track contractors and\n              training requirements.\n15   Closed In conjunction with the MARAD, create a POAM for each system that is\n            missing a certification and accreditation. This POAM should be properly\n            prioritized to ensure this critical matter is immediately addressed.\n16   Closed In conjunction with MARAD, promptly update Cyber Security Assessment\n            and Management (CSAM) system to reflect its current system inventory\n            and related information (including status of certification and accreditation).\n17   Closed Work with MARAD to finalize agreements with C&A service providers to\n            certify MARAD systems.\n18   Open     Review the results of OA assessments to determine an accurate\n              inventory of contractor systems.\n\n\n\n\nExhibit B. St atus of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                            29\n\n\nNo. Status    Recommendation\n19   Closed Work with the Department\'s acquisition personnel to develop common\n            contract language that requires IT contractors to enforce applicable\n            FISMA and OMB requirements. 
Once this language is approved, review\n            all new planned IT acquisitions, prior to award, to verify that this clause is\n            contained in the statement of work or comparable document.\n20   Open     Research and standardize automated tools that will proactively monitor\n              remote devices connecting to DOT networks.\n21   Open     Conduct tests of remote access solutions to ensure they comply with\n              Federal requirements and DOT guidance.\n22   Closed In conjunction with the Assistant Secretary for Administration, develop a\n            Department-wide implementation plan that specifies resources needed,\n            responsible parties, strategies for risk mitigation, etc., to ensure that all\n            employees and contractors receive PIV cards by December 31, 2010.\n23   Open     Implement the use of PIV cards as the primary authentication mechanism\n              to support multi-factor authentication at the system and application level\n              for all DOT\'s employees and contractors.\n24   Closed Perform periodic reviews of active user accounts and network devices to\n            identify accounts that need to be disabled.\n25   Closed Work with OAs to identify and logically segregate user accounts and\n            service (role) accounts.\n26   Closed Work with OAs to implement automated mechanisms to disable inactive\n            accounts, as specified by DOT policies, and to audit account creation,\n            modification, disabling, and termination actions.\n27   Open     Educate and assist OAs in implementing dual accounts for administrators.\n              Subsequently, conduct reviews to determine that all DOT GSSs use\n              these accounts.\nSource: OIG\n\n\n\n\nExhibit B. 
St atus of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                          30\n\n\nTable 12: OIG Recommendations for Fiscal Year 2009, and Their\nStatus\nNo. Status    Recommendation\n1    Closed Revise the incident response policy to identify conditions under which\n            incidents should be reported to law enforcement (i.e., OIG), how the\n            reporting should be performed, what evidence should be collected, and\n            how it should be collected\n2    Closed Revise the security awareness and training policy to include the\n            identification of all users, such as employees, contractors, and others\n            requiring access to DOT information systems. Include provisions in the\n            policy to separate these active user accounts from the non-person\n            accounts.\n3    Closed Revise training policy to list the job functions that require specialized\n            security training and the type of specialized training that is required for\n            those job functions as described in NIST SP 800-16.\n4    Closed Revise policy to address security of information and information systems\n            managed by contractors, including information security roles and\n            responsibilities, security control baselines and rules for departures from\n            baseline, and rules of behavior for contractors and minimum\n            repercussions for noncompliance.\n5    Closed Revise the interface agreement policy to incorporate necessary elements,\n            such as purpose of the interconnection, description of security controls,\n            schematic of interconnection, timelines for terminating or reauthorizing the\n            interconnection, and authority of establishing the interconnection.\n6    Closed Revise the plan of action and milestones policy to address all the OMB\n            requirements, including description of weakness, 
scheduled completion\n            date, key milestones, changes to milestones, source of the weakness,\n            and status.\n7    Closed Ensure that the Federal Aviation Administration, Saint Lawrence Seaway\n            Development Corporation, and Pipeline and Hazardous Materials Safety\n            Administration have deployed DOT approved configuration baselines and\n            tools to assess implementation status.\n8    Open     Use automated tools to periodically verify status of completion reported by\n              Operating Administrations and identify deviations from the approved\n              baseline configurations.\n     Closed Require Operating Administrations to manage identified deviations from\n9           approved baseline configurations by tracking and resolving significant\n            baseline configuration weaknesses in plan of actions and milestones.\n10   Closed Work with Operating Administration Chief Information Officers to ensure\n            that all new IT contracts include the acquisition language on common\n            security configurations as required by DOT and OMB M-07-18.\n11   Closed Work with the CSMC to develop a process to ensure that all Department\n            of Homeland Security reference numbers are received and entered into\n            the DOT tracking system for confirmation.\n12   Closed Develop and establish a tracking system that effectively and routinely\n            accounts for all active contractors requiring security awareness training.\n\n\nExhibit B. St atus of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                       31\n\n\nNo. 
Status    Recommendation\n13   Closed Develop a mechanism to enforce that all employees including contractors\n            with login privileges have completed the required annual security\n            awareness training in order to gain and maintain access to Department\n            information systems.\n14   Closed Identify and ensure all employees with significant security responsibilities\n            take the necessary specialized security training to fulfill their\n            responsibilities.\n15   Closed Monitor, and report to the Deputy Secretary, Operating Administrations\xe2\x80\x99\n            progress in resolving long overdue security weaknesses, reestablishing\n            target completion dates in accordance with departmental policy, providing\n            cost estimation for fixing security weaknesses, prioritizing weaknesses,\n            and recording all identified security weaknesses in plan of actions and\n            milestones.\n16   Open     Ensure accurate information is used to monitor Operating Administrations\xe2\x80\x99\n              progress in correcting security weaknesses.\n17   Close    Require Chief Information Security Officer and Operating Administrations\n              conduct a review to identify all interfaces with systems external to the\n              Department, ensure related security agreements are adequate, and track\n              them in the Cyber Security Assessment and Management system.\n18   Closed Ensure that Maritime Administration properly inventories its information\n            systems and tracks them in the Cyber Security Assessment and\n            Management system. (MARAD)\n19   Closed Ensure that Maritime Administration certifies and accredits each system in\n            the revised inventory. 
(MARAD)\n20   Open     Improve its quality assurance checks on the Operating Administrations\xe2\x80\x99\n              certifications and accreditations by increasing the frequency and scope of\n              its checks, communicating results and expected actions to the Operating\n              Administrations, requiring updated plan of actions and milestones to\n              address weaknesses noted (including those found in the Inspector\n              General reviews), and follow-up on resolution of weaknesses noted.\n21   Closeda Require Federal Aviation Administration, Federal Highway Administration,\n             Federal Railroad Administration, Maritime Administration, Office of the\n             Secretary of Transportation and Pipelines and Hazardous Materials\n             Safety Administration to conduct system contingency testing of the\n             systems that did not have evidence that of such tests.\n22   Open     Develop a process to ensure Operating Administrations continuously\n              monitor and test information system security controls.\n23   Closed Finalize the inventory count for systems containing privacy information.\n24   Closed Work with Operating Administrations to complete privacy impact\n            assessments for applicable information systems.\n25   Closed Work with the Federal Aviation Administration to establish a reasonable\n            target date for the completion of the reduction of social security numbers\n            recorded in its systems.\n26   Closedb Implement 2-factor authentication for remote access.\n\n\n\nExhibit B. St atus of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                     32\n\n\nNo. Status   Recommendation\n27 Open        Implement NIST-approved encryption on all mobile computers/devices.\nSource: OIG\na\n  Replaced with 2011 Recommendation No. 3\nb\n  Merged into 2010 Recommendation No. 23\n\n\n\n\nExhibit B. 
St atus of Prior Year\xe2\x80\x99s Recommendations\n\x0c                                                                                                                       33\n\n\n\nEXHIBIT C. DOT OPERATING ADMINISTRATIONS AND SYSTEM\nINVENTORY COUNTS\n\nTable 13: OA System Inventory Counts for Fiscal Years 2012 and\n2011\n                                                                                                 Fiscal Year\n                   a\n    Organization                                                                          2012                  2011\n    Federal Aviation Administration (FAA)                                                283                    297\n    Federal Highway Administration (FHWA)                                                  21                     21\n    Federal Motor Carrier Safety Administration (FMCSA)                                    18                     18\n    Federal Railroad Administration (FRA)                                                  14                     13\n    Federal Transit Administration (FTA)                                                     5                     5\n    Maritime Administration (MARAD)                                                        20                     25\n    National Highway Traffic Safety Administration (NHTSA)                                 10                     11\n    Office of Inspector General (OIG)                                                        2                     2\n                                         b\n    Office of the Secretary (OST)                                                          30                     31\n    Pipeline and Hazardous Materials Safety Administration\n                                                                                             7                     5\n    (PHMSA)\n    Research and Innovative Technology Administration (RITA)                               15                     14\n    
Saint Lawrence Seaway Development Corporation (SLSDC)                                    1                     1\n                                                  c\n    Surface Transportation Board (STB)                                                       2                     2\nTotal Systems                                                                            428                    445\nSource: OIG, and DOT CSAM as of August 6, 2010\na\n    For purposes of reporting under FISMA, we consider "Operating Administrations" to include all organizations listed\n   above.\nb.\n   For purposes of reporting under FISMA COE systems are counted under Office of the Secretary.\nc.\n    Under 49 U.S.C., Subtitle I, Chapter 7 -- In the performance of STB functions, the members, employees, and other\n   personnel of the Board shall not be responsible to or subject to the supervision or direction of any officer, employee,\n   or agent of any other part of the Department of Transportation. Accordingly, STB is not obligated to utilize IT\n   security policies or procedures provided by the Department of Transportation.\n\n\n\n\nExhibit C: DO T Operating Administrations and System Inventory\nCounts\n\x0c                                                                       34\n\n\n\nEXHIBIT D. 
MAJOR CONTRIBUTORS TO THIS REPORT\nName                        Title\n\nNathan Custer               Program Director\n\nMichael Marshlick           Project Manager\n\nGerald Steere               Supervisory Information Technology Specialist\n\nMartha Morrobel             Information Technology Specialist\n\nTracy Colligan              Information Technology Specialist\n\nJenelle Morris              Information Technology Specialist\n\nJason Mott                  Information Technology Specialist\n\nJames Mullen                Information Technology Specialist\n\nMitch Balakit               Information Technology Specialist\n\nNileshkumar Patel           Information Technology Specialist\n\nLaKarla Lindsay             Referencer\n\nPetra Swartzlander          Senior Statistician\n\nMegha P. Joshipura          Statistician\n\nKaren Sloan                 Communications Analyst\n\nSusan Neill                 Writer-Editor\n\n\n\n\nExhibit D. Major Contributors to This Report\n\x0c                            35\n\n\n\nAPPENDIX. AGENCY COMMENTS\n\n\n\n\nAppendix. Agency Comments\n\x0c                            36\n\n\n\n\nAppendix. Agency Comments\n\x0c                            37\n\n\n\n\nAppendix. Agency Comments\n\x0c'